Privacy Policy
Last updated: February 18, 2026
Legal notice
This policy governs current OptivexIQ operations. Corporate registration details will be published on this page when final filings are complete.
1. Controller Identity
This Privacy Policy applies to OptivexIQ and its SaaS platform.
- Legal entity: OptivexIQ (registration details pending final publication).
- Registered address: Available upon verified legal request.
- Registration number: Will be published once issued by the registrar.
- VAT number: Will be published once applicable registration is complete.
- Privacy contact: privacy@optivexiq.com
- General support: support@optivexiq.com
Data Protection Officer (Art. 37 GDPR): At this stage, we have determined that a formal DPO appointment is not mandatory based on current processing scope and scale. We monitor this assessment and will appoint a DPO if legal thresholds are met. Privacy-related requests should be sent to privacy@optivexiq.com.
2. Definitions
- Controller: the entity deciding why and how personal data is processed.
- Processor: a third party processing personal data on our behalf.
- Personal data: any information related to an identified or identifiable natural person.
- Customer: a business user or organization using our services.
- Service: the OptivexIQ web platform, APIs, reports, and related operations.
3. Categories of Data We Process
3.1 Account and identity data
Name, email address, authentication identifiers, account role, organization profile data, and account lifecycle timestamps.
3.2 Billing and subscription data
Plan selection, billing status, payment provider customer and subscription IDs, transaction references, invoices, tax-related records, and anti-fraud signals.
3.3 Service usage and technical data
Request logs, usage counters, rate-limit events, IP address, device or browser metadata, security event logs, and service diagnostics.
3.4 Analysis input data
Submitted website URLs, optional competitor URLs, optional analysis context, and content extracted from publicly accessible pages for conversion analysis workflows.
3.5 AI processing data
Prompt inputs and structured outputs needed to generate reports, diagnostics, scoring, summaries, and recommendations.
3.6 Support and communications data
Contact form submissions, support conversations, feedback requests, issue reports, and response metadata.
4. Purposes, Principles, and Legal Bases
We process personal data in accordance with Article 5 GDPR principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. We apply a risk-based approach to technical and organizational controls based on processing sensitivity and potential impact on data subjects.
Contract performance (Art. 6(1)(b)): account provisioning, subscription management, report generation, feature delivery, and customer support.
Legitimate interests (Art. 6(1)(f)): service security, abuse prevention, operational monitoring, reliability, product improvement, and incident response.
For processing based on legitimate interests, we perform and document balancing assessments considering necessity, proportionality, and impact on data subjects. You have the right to object to such processing under Article 21 GDPR.
Legal obligation (Art. 6(1)(c)): tax/accounting retention, compliance response, and lawful disclosure duties.
Consent (Art. 6(1)(a)), where required: optional communications and non-essential cookies/analytics where local law requires consent.
5. Data Processors and Recipients
We use vetted processors to operate the service. Typical categories include hosting and infrastructure, database and authentication, payment processing (LemonSqueezy), email delivery, AI model APIs, and observability tools. Processors are bound by contractual and security obligations.
We may also disclose data to public authorities where legally required, or in connection with legal claims, audits, or corporate transactions.
Where required, we provide a Data Processing Agreement (DPA) for customer review and execution. For customer-submitted URLs and analysis content, OptivexIQ acts as a processor/service provider for instructed analysis workflows. Customers remain responsible for ensuring they have lawful rights and legal basis to submit URLs and related content for processing.
We may use anonymized and aggregated usage information, which does not identify individuals or specific customers, for service reliability, security, and product improvement.
Our subprocessor list is available upon request at privacy@optivexiq.com and may be updated as operational needs evolve. For material subprocessor changes affecting data handling, we provide advance notice through appropriate customer communication channels where feasible.
6. International Data Transfers
When data is transferred outside the EEA/UK/Switzerland, we apply lawful safeguards such as the European Commission Standard Contractual Clauses (SCCs), adequacy decisions where available, and additional technical/organizational controls appropriate to transfer risk.
Transfer safeguards are supported by risk-based controls including contractual controls, access restrictions, encryption safeguards, and vendor due diligence proportionate to transfer risk.
7. AI Processing and Website Analysis Disclosure
- We process submitted URLs and content extracted from publicly accessible webpages to generate conversion diagnostics and structured recommendations.
- AI outputs are probabilistic and intended as decision support, not legal, financial, or regulatory advice.
- We do not guarantee that third-party website content is complete, current, accurate, or legally reusable for any downstream purpose.
- Customers are responsible for downstream use of outputs and for independent review before business, legal, or compliance decisions.
- We implement schema validation and integrity checks to reduce output corruption and malformed responses.
- We do not use submitted customer data for unrelated advertising.
8. Automated Decision-Making and Profiling
We use automated scoring and analytical models to classify messaging risk and prioritize recommendations. These outputs do not create legal effects for individuals and are intended for business decision support by customer teams.
Data subjects may have rights under Article 22 GDPR, including the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except where legal exceptions apply.
10. Data Subject Rights
Subject to applicable law, you may request:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure of data under Article 17.
- Restriction of processing.
- Data portability.
- Objection to processing based on legitimate interests.
- Withdrawal of consent for consent-based processing.
- Rights related to automated decision-making as described in Article 22 GDPR.
Some requests, including erasure requests, may be limited or refused where processing is required for legal obligations, legal claims, security investigations, fraud prevention, or other lawful retention grounds.
11. How to Exercise Rights
Submit requests to privacy@optivexiq.com from your account email or with sufficient verification information. We will verify identity before processing rights requests and respond within statutory timelines.
We may request additional identity verification information where needed to prevent unauthorized disclosure, deletion, or account manipulation.
12. Complaints
If you believe we have processed your data unlawfully, you may contact us first at privacy@optivexiq.com. You also have the right to lodge a complaint with your local supervisory authority in the EU/EEA and, where relevant, with the supervisory authority in the Controller's jurisdiction once final registration details are published.
13. Security Measures
We apply technical and organizational safeguards including access controls, the principle of least privilege, encryption in transit, authenticated service boundaries, logging, and incident response procedures.
- Encryption in transit (e.g., TLS/HTTPS) for data flows.
- Encryption at rest where supported by our infrastructure and data stores.
- Role-based and least-privilege access control policies.
- Security monitoring, alerting, and incident triage governance.
- Vendor onboarding and periodic security review practices for key processors.
14. Data Breach Handling
We maintain breach triage and response processes. Where required by law, we notify competent supervisory authorities and affected data subjects within statutory deadlines.
15. Retention
We retain personal data only for as long as necessary for service delivery, security, legal obligations, and dispute resolution. See our detailed retention schedule in the Help Center.
16. Children
The service is designed for business users and is not directed to children under 16. We do not knowingly collect personal data from children under 16.
17. Policy Changes and Versioning
We may update this policy to reflect legal, technical, or operational changes. Material updates will be published on this page with a revised "Last updated" date.
Current version: Privacy Policy v2.0 (Current legal version).